Cloudflare blocks


(Issay Issay) #1

I was building a client to do payments, very slowly crawling through the obstacles; however, I managed to send money last week and went to rest on the weekend. Today I got back, tried to refresh a token and couldn’t. Research has shown that Cloudflare demands a captcha. Changing IPs (tried 5), entering the captcha through the browsers, and changing the user agent do not help. An hour of work time is now in a trashcan. What should I do now in order to work with your UAT?

A rhetorical question: was it that necessary to enable buggy strict checks of Cloudflare for a test environment?

A second rhetorical question: will it die the same way on a real site?


(David Stancu) #2

@Issay_Issay, thanks for writing in. I work with UAT extensively for testing our SDKs and have never received a CloudFlare CAPTCHA challenge response while querying the API. For security purposes, we cannot disable CF. Just as an off-shot, are you perchance using any kind of anonymity service such as TOR, or even a popular VPN service? It is not uncommon to see a challenge query for those kinds of services because their publicly facing IPs serve a lot of traffic (not all of which is always “friendly”).

The next time this happens, can you please gather the headers and CF ray-id so that I can look into what we can do from our end?

Best,

David


(Issay Issay) #3

I do not use any VPNs, Tor, proxies or anything else like that.

What do you mean “next time”? I cannot use your API, because I’m blocked by Cloudflare. How am I supposed to enter a captcha using the API?

Besides, don’t you think it’s strange to protect against scripts the URLs that are supposed to be accessed by scripts? Switching off protection against bots for API URLs in Cloudflare will not cause any security issues; I hope your system doesn’t rely on Cloudflare bot detection to be secure, right?

On the other hand, I believe I won’t be the only one whose API requests will die when Cloudflare decides, due to some fuzzy logic, that the API request is issued by a script and not a human (what a surprise, yeah).

As I said, I tried 5 various IPs today; I suppose it blocks by some logic that only they know. I can of course start figuring out what it is they do not like, trying to imitate browsers and so on, but for some reason I believe it’s strange that I first need to trick your “defense” in order to implement a payment solution.

If you wish, here is the ray ID that I’ve just got for this message: 22d0aeb728840c0b

However, from my experience of dealing with Cloudflare, it’s easier and more logical to disable bot detection for API URLs, which are supposed to be opened by the “bots”, than to contact their support and dig for logs, which won’t help in any case.

There is no need to switch off ALL of the CF defense; it’s configurable. But bot protection on the API URLs… em…

Thank you.


(Trent Tech) #4

I’m getting blocked by this as well, though I suspect it’s because I’m currently on my work VPN. My day job is with a large, reputable global organization, though, so it’s not like my VPN’s IP is shady, or anything. But basically Cloudflare is asking me to enter Captcha values, which I (obviously) can’t do via a script.

This is most unfortunate - how often is this going to impact my potential customers?

UPDATE: I get blocked by this when I’m not on my work VPN as well. This is not good news.

UPDATE2: I’m even getting hit by this when I’m just trying to update this post. Security is important, but perhaps the controls are a bit too strong here?


(Gordon Zheng) #5

Hey @Trent, @Issay_Issay,

Thanks for the reports and apologies for all the trouble you’re having. We’re looking into this.

We definitely don’t want API requests to return CF challenge responses (which are HTML, not JSON). We also don’t want you to have to hack around this :). Can you tell me which specific URLs you’re trying that are returning these challenges? That’ll help us figure out if our page rules are doing their job.

Also, in the meantime, if you email me your IPs at gordon@dwolla.com, we can whitelist them for you.
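The distinction Gordon draws above (a challenge response is an HTML page, not the JSON the API would return) is something a client can check for itself, so that it fails loudly with the status, headers and CF ray ID David asked for earlier instead of choking on an unparseable body. The following Python is an added example, not Dwolla’s or Cloudflare’s own code; the header names, the page-marker strings and the three sample responses are constructed assumptions about what a challenge looks like and should be tuned against real captures.

```python
"""Detect a Cloudflare challenge page returned in place of a JSON API response.

Added example, not Dwolla's or Cloudflare's code. The marker strings, header
names and sample responses below are assumptions constructed for illustration.
"""
import json
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal stand-in for an HTTP client response (constructed for this example)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> str:
        # HTTP header names are case-insensitive, so compare them lower-cased.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


# Assumed fragments seen in Cloudflare challenge/block pages; adjust to your captures.
CHALLENGE_MARKERS = ("attention required", "cf-chl", "captcha", "checking your browser")


def is_cloudflare_challenge(resp: Response) -> bool:
    """True when an API call came back as a Cloudflare challenge page, not an API reply."""
    content_type = resp.header("Content-Type").lower()
    if "json" in content_type:
        return False  # a genuine API reply, even if it is an API-level error
    if resp.status not in (403, 503):
        return False  # challenge and block pages arrive with these statuses
    if not resp.header("CF-RAY"):
        return False  # no Cloudflare edge involved; some other HTML 403
    body = resp.body.lower()
    return "text/html" in content_type and any(m in body for m in CHALLENGE_MARKERS)


def diagnostics(resp: Response, url: str) -> dict:
    """Collect what support asks for: URL, status, CF ray ID and key headers."""
    return {
        "url": url,
        "status": resp.status,
        "cf_ray": resp.header("CF-RAY"),
        "content_type": resp.header("Content-Type"),
        "server": resp.header("Server"),
    }


def parse_api_response(resp: Response, url: str) -> dict:
    """Return the decoded JSON body, or raise with diagnostics on a challenge page."""
    if is_cloudflare_challenge(resp):
        raise RuntimeError("Cloudflare challenge instead of API response: "
                           + json.dumps(diagnostics(resp, url)))
    return json.loads(resp.body)


# Constructed sample responses; the ray IDs are placeholders, not real ones.
CHALLENGE = Response(
    status=403,
    headers={"Content-Type": "text/html; charset=UTF-8", "Server": "cloudflare",
             "CF-RAY": "0000000000000000-EXAMPLE"},
    body="<html><title>Attention Required! | Cloudflare</title>...</html>",
)
TOKEN = Response(
    status=200,
    headers={"Content-Type": "application/json", "CF-RAY": "1111111111111111-EXAMPLE"},
    body='{"access_token": "example-token", "token_type": "bearer"}',
)
API_ERROR = Response(  # an API-level 403 is still JSON and must not be mistaken for a challenge
    status=403,
    headers={"Content-Type": "application/json", "CF-RAY": "2222222222222222-EXAMPLE"},
    body='{"code": "Forbidden", "message": "not authorized"}',
)

if __name__ == "__main__":
    for name, resp in (("token", TOKEN), ("api_error", API_ERROR), ("challenge", CHALLENGE)):
        try:
            print(name, "->", parse_api_response(resp, "https://uat.dwolla.com/oauth/v2/token"))
        except RuntimeError as exc:
            print(name, "->", exc)
```

Logging the dictionary from `diagnostics` at the point of failure gives you the exact ray ID and URL to paste into a support request, and keeping API-level JSON errors out of the challenge branch avoids hiding real authorization problems behind a Cloudflare explanation.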


(Trent Tech) #6

Hi Gordon. Thanks for understanding. My authUri is:

http://localhost:3111/dwolla/code

The URL I land on when trying to Authenticate with Dwolla is:

https://www.dwolla.com/oauth/user/login?returnUrl=https%3A%2F%2Fwww.dwolla.com%2Foauth%2Fv2%2Fauthenticate%3Fclient_id%3[MY_CLIENT_ID_HERE]2%26response_type%3Dcode%26scope%3DTransactions%7CRequest%7CFunding%7CScheduled%26redirect_uri%3Dhttp%3A%2F%2Flocalhost%3A3111%2Fdwolla%2Fcode&client_id=[MY_CLIENT_ID_HERE]&response_type=code&scope=Transactions|Request|Funding|Scheduled&redirect_uri=http%3A%2F%2Flocalhost%3A3111%2Fdwolla%2Fcode

I’ll mail you shortly with my IP address.


(Issay Issay) #7

Well, my IPs are dynamic, so…

The URLs I can’t reach, due to the captcha requiring me to prove I’m a human, are: https://api-uat.dwolla.com with all its resources and https://uat.dwolla.com/oauth/v2/token

It would be really marvelous if you could tell me how to work with your API with no access to these resources :). Please do not suggest that I issue all API calls by hand; I won’t consider that suggestion a solution )).

PS. I know how to improve the defense. You can close the ports on these servers with a firewall. Then it will become even safer :).


(Union Puertorriqueña De La Iglesia Adventista Del Séptimo Día) #8

Same problem here! I’m just submitting a form to this address: https://uat.dwolla.com/payment/pay.
If I type in the captcha (by hand, of course) I get a page-not-found error. The weird thing is that the third time I tried to submit the page, I waited a couple of minutes, then reloaded the captcha page and was able to submit the payment with no problem at all…


(Gordon Zheng) #9

Thanks for the report @Union_Puertorriquena. We’re actively investigating this issue. What country are you attempting these requests from?

If you email me your IP address at gordon@dwolla.com, we can whitelist it as an interim solution.


(Union Puertorriqueña De La Iglesia Adventista Del Séptimo Día) #10

Hi everyone! Just to let you know that everything is working now. I didn’t do anything to my program, so I imagine that the geniuses at Dwolla worked very hard over the weekend to fix the issue!
Thanks!


(Union Puertorriqueña De La Iglesia Adventista Del Séptimo Día) #11

I would like to make an update: The captcha page is back! :anguished:
Let me explain…

Last week, I was testing my app and every time I tried to make a payment I was redirected to the Cloudflare page. There, I was asked to type a captcha. Every time I entered the captcha, I got a “web page not found”. The same happened on my secretary’s PC. Since I wasn’t able to solve the problem, I let it rest over the weekend. On Monday, my secretary and I did a lot of tests, she on her PC and I on my Mac, and everything worked perfectly. So, I invited the treasurer of the company I work for to do some tests. And he wasn’t able to make any payments, because each time he was redirected to the Cloudflare page.

Some things to consider:

  1. The computers we are using are all connected to the same network.
  2. After the treasurer was redirected to the Cloudflare page, my secretary and I did some tests and we were able to make payments with no problems at all.
  3. I also tried to make a payment using my cellphone, but I was redirected to the Cloudflare page. For this test I connected using the cellular carrier and not through the work network.

Please, let me know what is happening or at least if this is a situation on Dwolla’s side you’re working on or is something I’m doing wrong.

Thanks


(Rodion Vshevtsov) #12

Hello to everyone.

Today I got the same problem as described above. Here is my case.

About 3 weeks ago I integrated Dwolla’s API for payments from our iOS app. Everything worked fine. Today I decided to check payments out and got the CAPTCHA page, and then (like @Union_Puertorriquena mentioned) I was redirected to the page with the “Not Found” error.

All this time I have worked from one network, but I don’t know if my IP was changed during the last 3 weeks. Through a VPN (to an Amazon instance) it works fine.

Thanks for any help and/or advice.

UPDATE: CloudFlare Ray ID is 2313e18e71e60a2a. Maybe it will help.


(Gordon Zheng) #13

Hi @rodion, @Union_Puertorriquena,

Sorry to hear about the trouble you’re running into with the CloudFlare CAPTCHA challenges. Our platform’s edge security may challenge clients based on their geographic origin. We’re actively investigating solutions to prevent this from affecting API clients.

In the meantime, we’ll do our best to get you over this roadblock by whitelisting your IP. Please email me the IPs you intend to send API requests from: gordon@dwolla.com


(Rodion Vshevtsov) #14

Sorry, I forgot to note that we now use the form posting process on Sandbox (uat.dwolla.com), so the user must log in to authorise a certain payment.


(Ricardo García) #15

Good morning, I’m bumping this post because I’m running into the same issue when making calls to the API. I sent an email to gordon@dwolla.com; hope you guys can help me out.

EDIT: ray ID in case it helps 28bda43cf98603d0

EDIT: Just noticed Gordon isn’t a member of Dwolla anymore, where can I send my IP address so it can be whitelisted?


(Ben Schmitt) #16

Hi Ricardo - sorry for the problems and I can tell you we are actively working on some alternatives to improve this situation. That being said, as an interim step, can you send your info to security@dwolla.com and we will do our best to help you.


(Ricardo García) #17

Thank you Ben, email already sent, if you need more info let me know.


(Beny Cosma) #18

Hi, I have the same problem. Whenever I try to call an API from my iOS app I get a response with an HTML page containing the Cloudflare block. How can I fix this?


(Ben Schmitt) #19

Hey @Beny_Cosma - thanks for the email - we should have you back up and running for now and will email you tomorrow with another adjustment.